Anonymity of Cryptocurrencies Part II – Cryptonote & Darkcoin

Although total anonymity is not feasible at the moment, a lesser form of high security may be. Cryptonote-based currencies can use ring signatures, as opposed to group signatures, which require a trusted party. Each Bitcoin output is tied to a public key, and spending it requires producing a small script that satisfies that key. Anyone viewing the transaction sees that the old output was consumed and that new outputs were created.

What Are Ring Signatures?

Ring signatures are different: they are tied to an arbitrary group of public keys, and only one of the corresponding private keys needs to be known to sign. Cryptonote does this by making every transaction input a set of unspent outputs of the same value and signing with a ring over all of those outputs' keys. An observer cannot tell which member of the set is the real signer, so transactions cannot be linked back to their author. Whilst the technology is sound, not every implementation is. Boolberry and Monero are the only two working, sound implementations; alternatives like Bytecoin are not worthwhile.

[Image: Ring Signature] An example of ring signatures being implemented in Bitmonero, a fork of Bytecoin.

The question arises: if it is not possible to tell which outputs were spent, how does the system stop someone from double-spending the same output? The signing key is bound to a key image that must be published alongside the signature. The key image cannot be reversed to recover the original key or de-anonymize the sender, but anyone can see when the same key image appears twice and refuse to accept the second, fraudulent transaction.
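As an added example (not code from the article or from any Cryptonote implementation), here is the ring signature and key image idea of the two paragraphs above, in a toy 64-bit Schnorr group instead of Cryptonote's Ed25519 curve: any member of the ring can produce a signature that verifies against the whole set, and the key image I = Hp(P)^x published with it lets a node reject a second spend of the same output. The LSAG-style construction used here (Liu, Wei and Wong) is the scheme Cryptonote's signature derives from, not its exact equations; the safe-prime search, the hash-to-group by squaring, and all helper names are my assumptions.

```python
import hashlib, random

# Toy Schnorr group for the demo: a 64-bit safe prime p = 2q + 1 found at import time
# (an assumed toy parameter, NOT a production one); g = 4 generates the order-q subgroup.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin bases, exact below 3.3e24
def is_prime(n):
    if n < 2 or any(n % a == 0 for a in BASES): return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True
q = 2**63 + 1
while not (is_prime(q) and is_prime(2 * q + 1)): q += 2
p, g = 2 * q + 1, 4

def H(*parts):  # hash to a scalar mod q; message, ring and group elements are mixed in as text
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % q
def Hp(P): return pow(H("img", P) + 2, 2, p)  # hash to a subgroup element: a square lies in the order-q subgroup
def keygen(): x = random.randrange(1, q); return x, pow(g, x, p)
def key_image(x, P): return pow(Hp(P), x, p)  # I = Hp(P)^x: fixed per secret key, unforgeable without x

def sign(msg, ring, x, idx):  # LSAG-style linkable ring signature by the owner of ring[idx] -> (I, c0, s)
    n, I, u = len(ring), key_image(x, ring[idx]), random.randrange(1, q)
    c, s = [0] * n, [random.randrange(1, q) for _ in range(n)]
    c[(idx + 1) % n] = H(msg, ring, I, pow(g, u, p), pow(Hp(ring[idx]), u, p))
    for j in range(1, n):  # decoy members: random s, chain the challenges round the ring
        i = (idx + j) % n
        L = pow(g, s[i], p) * pow(ring[i], c[i], p) % p
        R = pow(Hp(ring[i]), s[i], p) * pow(I, c[i], p) % p
        c[(i + 1) % n] = H(msg, ring, I, L, R)
    s[idx] = (u - c[idx] * x) % q  # only the real signer can close the ring
    return I, c[0], s

def verify(msg, ring, sig):
    I, c0, s = sig; c = c0
    if len(s) != len(ring) or pow(I, q, p) != 1: return False  # key image must lie in the subgroup
    for P, si in zip(ring, s):
        L = pow(g, si, p) * pow(P, c, p) % p
        R = pow(Hp(P), si, p) * pow(I, c, p) % p
        c = H(msg, ring, I, L, R)
    return c == c0

def accept(seen, msg, ring, sig):  # node rule: valid signature AND a key image never published before
    if not verify(msg, ring, sig) or sig[0] in seen: return False
    seen.add(sig[0]); return True
```

The verifier learns only that some ring member signed; a second signature from the same key, even over a different ring and message, carries the same key image and is refused by accept().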

The Technical Potential of Cryptonote

Cryptonote is one of the strongest options; however, it is not totally zero-knowledge. An especially determined investigator may still be able to uncover an identity from the small amount of information the user inputs. It is an extremely useful advancement, with problems that are mostly fixable. Scalability is a large issue: ordinary Bitcoin stores the full list of unspent outputs on a node with limited storage, whereas Cryptonote keeps all of it in RAM, which severely limits its potential to scale. This could be changed by having users store only the outputs for the keys they own, plus a few others needed to remain anonymous. Improving on this system allows for the equivalent of CoinJoin-ing all transactions in every block, with the exceptions that a miner could de-anonymize the CoinJoin and that Cryptonote cannot detect a cheating miner.

[Image: Cryptonote] This diagram shows how Cryptonote uses complex ring signatures to achieve anonymity.

Another issue is that anonymity can be compromised by the other members of the set. If you produce a ring signature over your output and two others, the owners of those two outputs may later spend their own outputs with a single signature. Because each output can only be spent once, this reveals which members of your ring were not the spender, and it can happen long after your transaction. With two of three members confirmed to have spent elsewhere, only one remains unspent, and that individual is identified. A possible solution is for Cryptonote to require a minimum set size.
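To make the deduction concrete, here is an added illustration (not from the article) on a constructed toy ledger: rings are sets of candidate outputs, and because each output can be spent only once, any output later spent with a single signature is struck from every other ring, repeatedly, until a ring collapses to its real spender. The second ledger shows the same owners under the minimum-set-size rule the paragraph proposes; the output labels and the enforce_min_ring policy check are my assumptions.

```python
# Constructed toy ledger: each transaction spends exactly one real output hidden in
# a ring (a set of candidate outputs). Output ids are made-up labels.
LEDGER_WEAK = {
    "A": {"o1", "o2", "o3"},   # the ring-of-three transaction from the text
    "B": {"o2"},               # owner of o2 later spends it with a single signature
    "C": {"o3"},               # owner of o3 does the same
}
LEDGER_MIN3 = {
    "A": {"o1", "o2", "o3"},
    "B": {"o2", "o4", "o5"},   # the same owners, now forced to mix with two others
    "C": {"o3", "o6", "o7"},
}

def resolve(ledger):
    """Return {tx: output} for every transaction whose ring collapses to one member.
    An output known to be spent in one transaction cannot be the spend of any other,
    so it is removed from every other ring; repeat until nothing changes."""
    rings = {tx: set(ring) for tx, ring in ledger.items()}
    known = {}
    while True:
        newly = {tx: next(iter(r)) for tx, r in rings.items() if len(r) == 1 and tx not in known}
        if not newly:
            return known
        known.update(newly)
        for tx, r in rings.items():
            if tx not in known:
                r.difference_update(newly.values())

def enforce_min_ring(ledger, min_size):
    """Node policy the text proposes: reject any transaction whose ring is too small."""
    return {tx: ring for tx, ring in ledger.items() if len(ring) >= min_size}
```

On the weak ledger the single-signature spends B and C identify A's real output; with the minimum size enforced (or with B and C mixed), nothing collapses.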

However, that leads to another problem: only so many outputs of any given size exist, and all outputs in an anonymous set must be the same size so that the network can determine how much is being spent. Solving this would require allowing outputs of any size in each anonymous set and taking the smallest as the spent amount. The user holding the smallest output could then be uncovered, again because each Cryptonote output can only be spent once. One proposed solution reads every output as part of a single, uniform distribution of outputs: one might spend half a Bitcoin, and two might spend three .33 of a Bitcoin, and the network would add it up as one total Bitcoin. A feasible anonymous set size is possible with this system, though it can still be compromised by certain users revealing their secret keys; there is no known way to prevent that on any system.

Anonymity Via Darkcoin

Darkcoin operates like a somewhat broken version of CoinJoin on the normal Bitcoin client. DarkSend+ raises the possibility of anonymizing all coins automatically at a set interval, not just when they are sent, leaving the entire supply of coins as anonymous values. The masternode system would also chain multiple DarkSend passes together to increase security, preserving anonymity even if certain nodes are compromised. It could see serious benefit later on; however, until serious technological innovations are made, alt-coin security systems have serious fundamental issues.

Tune in next week for a discussion on Dark Wallet and the Byzantine Cycle!


Coinbrief

Coin Brief is an open source website for digital news. It provides cryptocurrency tools, mining calculators, tutorials, and more. It was acquired by 99Bitcoins in September 2015.

3 Comments

  1. In your progression from “dabbling to a sincere devotion”, you are right to say you have “a lot to learn!”
    In that vein, it would do you well to accept the generous offer from vertoe… get some in-depth knowledge and then maybe some discussion.

  2. Why is Darkcoin’s coinjoin “somewhat broken”? Where did you research that? And what “fundamental issues” are you talking about but not explaining? I wouldn’t mind joining an open discussion about that, and if you are interested I can supply in-depth information on Darkcoin and privacy-centric altcoins in general. As I read this, this article seems a bit immature and not well researched.

  3. Alexander Rose-Dell on

    Ali,
    While your comments on ring signatures and Cryptonote systems are up to date and even-handed, your comments on Darkcoin are less than satisfactory!
    The Darksend system is based on coinjoin, but the addition of the diverse masternode obfuscation system is an evolutionary jump that leaves coinjoin looking like a distant relative.
    Darksend is the only cryptocurrency anonymity system to receive a serious independent code and functionality review, in the shape of Kristov Atlas’s excellent treatise to be found here.

    blog.anonymousbitcoinbook.com/2014/08/visualizing-one-round-of-darkcoins-darksend/

    http://cdn.anonymousbitcoinbook.com/darkcoin/darksend-paper/Atlas_Darksend-Analysis-v001.pdf

    This thorough review highlighted some potential issues that have already been addressed by Evan Duffield the principal DarkCoin Dev.

    https://darkcointalk.org/threads/reply-to-kristovs-paper.2325/

    Darkcoin is due to go fully open source tomorrow, 29/09/14, as for all intents and purposes Darksend will be finished, fully functional and ready for merchant adoption.

    Thanks for the article.
    Keep up the good work.